Re: [squid-users] cache_peer login option

From: John Morton <jwm@dont-contact.us>
Date: Thu, 23 Dec 2004 16:44:33 +1300

Henrik Nordstrom wrote:

> You can chain any number of redirectors. Search for Open2 in the
> archives.
>
> If you need acl policies after redirection then it's another story.

Unfortunately I do.

> With a small wrapper having knowledge of the opt-out groups this
> shouldn't be too hard.

I see that the redirector API sends ident based user names to the
redirector. I can't guarantee that ident is working everywhere on the
network I'm on, so I'm preferring using proxy_auth user names instead.
Will squid (2.5-STABLE3) use proxy_auth based names in preference?

>> on the child server, and have it propagate the user name information
>> back to the parent using the login=*:password option, and have the
>> parent server run adzapper for everyone not in the opt out group.
>
>
> Alternatively you can use login=PASS and have configuration configured
> the same on both (assumes Basic authentication).

I'm planning on using NTLM in the future, in the absence of a digest
authenticator that will backend onto winbind, so that's not an option
for me.

>
>> My guess is that the parent will need an external authenticator that
>> will validate any user if the correct password is supplied, but will
>> only allow access to the child proxy(s). Does that sound right?
>
>
> Yes. When using the login=*:password approach then Squid will use
> "password" as the password for all users when forwarding the request.
>
> You should take care to only allow requests from the child cache IP in
> such configurations.

Ah - good. IP restrictions were the plan; the child in this case will
always run on the same machine as the parent. One thing I'd like to do
would be to bind the parent squid instance to the loopback address only,
but I haven't seen a directive to specify a tcp address.

>> Are there any standard authenticators that come with squid for this
>> task?
>
>
> The ncsa_auth helper is somewhat reasonable, using a local file
> (created by htpasswd). Or you can whip up your own just looking at the
> static password, i.e. something like the following:
>
> #!/bin/sh
> # Squid basic auth helper: Squid writes one "user password" line per
> # request on stdin and expects a single OK or ERR line back on stdout.
> while read user password; do
>   if [ "$password" = "thesecretpassword" ]; then
>     echo "OK"
>   else
>     echo "ERR"
>   fi
> done

Thanks. I'll try that out.

John
Received on Wed Dec 22 2004 - 20:45:42 MST
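As an added example, not from the thread itself, the following two squid.conf fragments lay out the parent/child pair discussed above: the parent bound to the loopback address, accepting only the child's requests with the fixed password from Henrik's helper, and the child forwarding the authenticated user name with login=*:password. Ports 3128/3129, the helper path and the ncsa_auth password file path are assumed values.

```conf
# ---- squid-parent.conf: the instance that runs adzapper ----
# http_port takes an address:port pair, so the parent only listens on
# loopback and is unreachable from the rest of the network.
http_port 127.0.0.1:3129

# Helper from the message above: any user is accepted as long as the
# password is the shared static one (path is an assumed value).
auth_param basic program /usr/local/squid/libexec/static_pw_auth.sh
auth_param basic children 5
auth_param basic realm parent-proxy

acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl child_auth proxy_auth REQUIRED

# Only requests arriving from the child (same machine) that carry the
# shared password get through; everything else is refused.
http_access allow localhost child_auth
http_access deny all

# ---- squid-child.conf: the instance clients talk to ----
http_port 3128

# Real user authentication happens here (basic shown; NTLM would replace
# this block). Password file path is an assumed value.
auth_param basic program /usr/local/squid/libexec/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm internet-proxy

acl all src 0.0.0.0/0.0.0.0
acl users proxy_auth REQUIRED
http_access allow users
http_access deny all

# login=*:password forwards the user name the child authenticated, but
# always with the fixed password the parent's helper checks for.
cache_peer 127.0.0.1 parent 3129 0 no-query login=*:thesecretpassword

# Force every request through the parent so the opt-out policy there
# is applied to all users.
never_direct allow all
```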